Security researchers at Infoblox have detected a new malware campaign they are calling Decoy Dog. The campaign has all the hallmarks of an espionage campaign, but the researchers have not been able to determine the identity of the nation-state behind it.
The campaign appears to be using a modified version of the open-source remote access tool Pupy. Pupy is a powerful tool that can be used to control a device remotely, and it can bypass detection from most antivirus applications. Decoy Dog builds on Pupy by adding new features that make it more difficult to detect.
Pupy is designed to provide continuous communications between infected clients and the server so that when the actor wants to remotely access the client, the connection is already established. The actor is able to monitor connected clients and selectively command them to provide a wide range of actions. The DNS is used only for C2 communications.
Any significant data exfiltrated from the client is sent over one of the many other transport options offered by Pupy. As a result, the Pupy DNS client is restricted to checking in with the controller, acknowledging commands, providing system information, and a handful of other duties.
Infoblox estimates that more than 100 devices have already been infected with Decoy Dog. The company believes that as many as four groups could be deploying the malware. Many of the suspicious domain names linked to the campaign are tied to Russian IP addresses, according to the report, but researchers can’t say with certainty that Russia is behind the attack. But Infoblox has only discovered the underlying foundation of the campaign so far.
The sources for this piece include an article in Axios.
